The Information Commissioner’s Office has fined Ticketmaster UK Limited £1.25 million for failing to keep its customers’ personal data secure.
The ICO found that Ticketmaster failed to put appropriate security measures in place to prevent a cyber-attack on a chat-bot installed on its online payment page. This failure to protect customer information was a breach of the GDPR.
The chat-bot was provided by a third party called Inbenta and had been hacked to allow personal data to be scraped and sent back to the attacker. Ticketmaster’s decision to use the chat-bot on its payments page meant that the personal data scraped by the malicious code included financial and card data, including names, payment card numbers, expiry dates and CVV numbers.
The data breach affected around 9.4 million of Ticketmaster’s customers across Europe including 1.5 million in the UK. An investigation by the ICO found that, as a result of the breach, 60,000 payment cards belonging to Barclays Bank customers had been subjected to known fraud. Another 6,000 cards were replaced by Monzo Bank after it suspected fraudulent use.
The ICO found that Ticketmaster failed to:
- Assess the risks of using a chat-bot on its payment page;
- Identify and implement appropriate security measures to negate the risks; and
- Identify the source of suggested fraudulent activity in a timely manner.
Monzo Bank customers first started reporting fraudulent transactions in February 2018. Monzo reported it to Ticketmaster, although initially Monzo struggled to get beyond Customer Service.
Several other banks reported suspected fraud to Ticketmaster, and a security expert on Twitter even pointed it out to them in detail, but Ticketmaster failed to accept there was a problem. In total, it took Ticketmaster nine weeks from being alerted to possible fraud to monitoring the network traffic through its online payment page. By that time, significant damage had been done.
The ICO initially proposed a fine of £1.5 million, but after representations by Ticketmaster, which included an appeal based on the appalling year the company is having in 2020 due to Covid, the fine was reduced to £1.25 million.
Although the breach began in February 2018, the penalty only relates to the breach from 25 May 2018, when the GDPR came into force. The chat-bot was completely removed from Ticketmaster’s website on 23 June 2018.
The decision was published on 13 November 2020 and Ticketmaster has 28 days to appeal.
Comment - What can we learn from this?
1/ Always do your own security checks. Don’t just rely on a contractual provision that says any software will be free of malicious code, especially when putting a third-party chat-bot on your payments page.
2/ Act quickly. Clearly Ticketmaster didn’t act quickly enough when the potential issue was first highlighted to them. It goes without saying that any complaint or suggestion of fraud should always be dealt with as quickly and effectively as possible. What is slightly odd is that the investigation unearthed the fact that Ticketmaster instructed four different forensic companies to investigate the issue.
3/ And if there is a breach, collect as much information as possible and instruct lawyers to act on your behalf. Whoever acted for Ticketmaster helped reduce that fine, saving them £250,000.